Getting Data In

Splunk cannot parse ISO8601/RFC3339 timestamp (e.g. 2017-05-09T19:56:50.233319+00:00)

efcasado
New Member

I am having issues getting Splunk to parse the ISO8601/RFC3339 timestamps included in my log messages.

I am using the syslog data source, which I configured to parse timestamps with the following format string: %Y-%m-%dT%H:%M:%S.%6N%:z

This is what the props.conf file looks like (I also tried increasing the MAX_TIMESTAMP_LOOKAHEAD setting to 64, but it did not help):

[syslog]
DATETIME_CONFIG =
MAX_TIMESTAMP_LOOKAHEAD = 32
NO_BINARY_CHECK = true
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%:z
disabled = false

This is how Splunk is outputting my log messages:

2017-05-09T19:56:50.233319+00:00 myhost myapp1[13861]: 19:56:50.233 [info] This is just a dummy log message

As you can see, Splunk is automatically adding yet another timestamp to my log message (i.e. 19:56:50.233) just as if it was not able to parse the original timestamp.

0 Karma

gcusello
SplunkTrust

Hi efcasado,
Having an example of your logs I could test it, but it seems to me that the problem may be in the timezone:

%Y-%m-%dT%H:%M:%S.%6N%z

Bye.
Giuseppe

0 Karma
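A way to check the thread's TIME_FORMAT strings against the posted sample event offline, before changing props.conf. This is an added example, not code from the thread or from Splunk; it assumes Python's strptime (3.7 or later, where %z also accepts a colon in the offset) as a stand-in for Splunk's timestamp parser, with the Splunk-only tokens %6N and %:z translated by hand.

```python
import re
from datetime import datetime

# Constructed from the sample event in the question; the second
# timestamp (19:56:50.233) is part of the raw message text.
SAMPLE_EVENT = ("2017-05-09T19:56:50.233319+00:00 myhost myapp1[13861]: "
                "19:56:50.233 [info] This is just a dummy log message")
MAX_TIMESTAMP_LOOKAHEAD = 32  # value from the posted props.conf

# Splunk strptime extensions mapped to Python equivalents (assumption:
# Python's strptime is a close enough stand-in for this check).
SPLUNK_TO_PYTHON = (
    (re.compile(r"%[1-9]N"), "%f"),  # %6N -> fractional seconds
    (re.compile(r"%:z"), "%z"),      # %:z -> offset; Python %z takes +00:00
)


def to_python_format(splunk_fmt: str) -> str:
    """Rewrite a Splunk TIME_FORMAT into a Python strptime format."""
    for pattern, replacement in SPLUNK_TO_PYTHON:
        splunk_fmt = pattern.sub(replacement, splunk_fmt)
    return splunk_fmt


def check_time_format(event: str, splunk_fmt: str, lookahead: int):
    """Try to parse a timestamp at the start of the event, looking no
    further than `lookahead` characters (like MAX_TIMESTAMP_LOOKAHEAD).

    Returns (datetime, chars_consumed) on success, or None if no prefix
    of the lookahead window matches the format."""
    window = event[:lookahead]
    py_fmt = to_python_format(splunk_fmt)
    # Longest prefix first, so the whole timestamp is consumed.
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], py_fmt), end
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    for fmt in ("%Y-%m-%dT%H:%M:%S.%6N%:z", "%Y-%m-%dT%H:%M:%S.%6N%z"):
        print(fmt, "->", check_time_format(SAMPLE_EVENT, fmt,
                                           MAX_TIMESTAMP_LOOKAHEAD))
```

Both format strings parse the full 32-character timestamp under this stand-in, which also shows that MAX_TIMESTAMP_LOOKAHEAD = 32 is just enough for this timestamp; a shorter window returns None.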

koshyk
Super Champion

Can you please add the raw data here too? Splunk won't add a new time as per the above config, but I feel it is added by your syslog server or an upstream system.

0 Karma